CN110572258B - Cloud password computing platform and computing service method - Google Patents


Info

Publication number
CN110572258B
Authority
CN
China
Prior art keywords
user
resource management
identity
request
key
Legal status
Active
Application number
CN201910671174.3A
Other languages
Chinese (zh)
Other versions
CN110572258A (en)
Inventor
林璟锵
王伟
荆继武
郎帆
任良钦
吴鹏一
王琼霄
郑昉昱
Current Assignee
Data Assurance and Communication Security Research Center of CAS
Original Assignee
Data Assurance and Communication Security Research Center of CAS
Application filed by Data Assurance and Communication Security Research Center of CAS
Priority to CN201910671174.3A
Publication of CN110572258A
Application granted
Publication of CN110572258B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
              • H04L 67/10 Protocols in which an application is distributed across nodes in the network
                • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
                  • H04L 67/1004 Server selection for load balancing
                    • H04L 67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
              • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L 9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
                • H04L 9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
              • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
                • H04L 9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
                • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
              • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
              • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud cryptographic computing platform and a computing service method. The method comprises the following steps: 1) start n physical cipher machines to form a cipher machine cluster connected to the resource management module; 2) synchronize the master keys of the n cipher machines so that they share the cipher machine master key K_m; 3) send the received key generation request to cipher machine A; 4) cipher machine A processes the user identity in the request with K_m to generate the corresponding user master key K_i; 5) cipher machine A generates the algorithm key AK_i, encrypts AK_i under K_i and sends the result [AK_i]_{K_i} to the resource management module; 6) when user i requests computation service j, the key [AK_i]_{K_i} is added to the user's encryption/decryption or signature/verification request, which is sent to cipher machine B; 7) cipher machine B derives K_i from the identity in the request and K_m, decrypts [AK_i]_{K_i} with K_i, and completes computation service j with AK_i.

Description

Cloud password computing platform and computing service method
Technical Field
The invention relates to the field of cyberspace security, and in particular to a cloud cryptographic computing platform capable of resource management, and a computing service method.
Background
Cloud computing: cloud computing is a model for adding, using and delivering related services over the Internet, which usually involves providing dynamic, easily scalable and often virtualized resources through the Internet. It is a form of distributed computing; its most basic idea is to split a huge computing task automatically into many smaller sub-programs over the network, hand those sub-programs to a large system composed of multiple servers for searching, computing and analysis, and then return the processing result to the user.
Cryptographic computing device: a device that provides cryptographic computation services such as symmetric/asymmetric encryption and decryption of data, data integrity verification, digital signature and verification, and key generation for users.
In-memory database: an in-memory database is, as the name implies, a database that operates directly on data held in memory. Memory read/write speed is several orders of magnitude higher than that of magnetic disk, so keeping data in memory rather than reading it from disk can greatly improve application performance. With an in-memory database, precise control and resource scheduling of traffic can be achieved while keeping performance high.
Unified authentication architecture: the unified authentication architecture is a general architecture that provides a general authentication mechanism; it can reuse the mobile authentication infrastructure used when a user accesses the mobile network for access authorization control of new services, thereby avoiding a separate authentication mechanism for each new service. Both the mobile terminal and the service provider can obtain the latest trusted information about each other (i.e. the identifier and the shared key) through the unified authentication architecture, so that mutual authentication can be realized.
Cloud cryptographic service: a cloud cryptographic service combines cryptographic services with a cloud computing platform and expands cryptographic operation capacity dynamically by scheduling a cluster of cipher machines, which greatly increases the speed of cryptographic operations, greatly improves system stability, and better provides centralized, virtualized and transparent cryptographic operation services to users. A cloud cryptographic service can be applied in fields such as electronic commerce and electronic government that have high security and high performance requirements, improving the overall robustness, efficiency and maturity of the system; it can be applied to various clouds, centers and cloud nodes, solving the security problems of local data storage, network transmission, identity authentication, data integrity and the like, and preventing all kinds of fraudulent behaviour on the network. The current cloud cryptographic service scheme runs a number of virtual cipher machines on one physical cipher machine through virtualization technology; its advantage is that cryptographic operation capacity can be partitioned flexibly, but the computing capacity of a single physical cipher machine then determines the upper computing limit of the whole platform.
Disclosure of Invention
The invention discloses a novel cloud cryptographic computing platform and computing service method. The cloud cryptographic computing platform comprises a physical cipher machine cluster, a resource management module, an access authentication module and a data storage module. The physical cipher machines provide cryptographic computing capacity to the outside, mainly the national (SM) algorithms SM2, SM3 and SM4, and protect keys with a three-layer key system consisting of the cipher machine master key, the user master keys and the algorithm keys. The access authentication module confirms the identity of the party requesting cryptographic computation through third-party unified authentication. The data storage module stores all information that must be persisted. The resource management module runs on the resource management server of the cloud cryptographic computing platform; it abstracts the physical cipher machines into cryptographic computing capacity, virtualizes them into virtual cipher machines according to the capacity a user applies for, and, together with the access authentication module and the data storage module, performs resource scheduling, performance control, request forwarding and load balancing for cryptographic computation requests.
In addition, the invention provides a method by which the resource management module, together with the physical cipher machine cluster and the data storage module, provides cryptographic computing services to the outside. The method comprises the following steps:
1) Start n physical cipher machines to form a physical cipher machine cluster, which is connected to the resource management module.
2) Synchronize the master keys of the n physical cipher machines through the cipher protection card so that they share the cipher machine master key K_m; meanwhile, K_m exists only in the cipher machine's cipher protection card.
3) The resource management server receives the key generation requests and forwards them to an idle physical cipher machine A for processing.
4) After receiving a key generation request from the resource management server, physical cipher machine A first processes the user identity user_id in each key generation request with the master key K_m, using the SM3-HMAC algorithm, to generate the user master key K_i corresponding to that user.
5) Physical cipher machine A generates the algorithm key AK_i according to the computation type in the request, and encrypts the algorithm key AK_i with the user master key K_i to obtain [AK_i]_{K_i}.
6) The keys [AK_1]_{K_1} to [AK_i]_{K_i} generated by the physical cipher machine cluster are sent back to the resource management module, which stores the i keys in the database, each against its user identity.
7) When user i requests encryption/decryption, signature verification or another function j, the resource management module fetches the key [AK_i]_{K_i} corresponding to user i from the database, adds it to the user's encryption/decryption or signature/verification request, and sends the request to an idle physical cipher machine B for computation through the load balancing strategy.
8) Physical cipher machine B regenerates the user master key K_i of user i from the user_id in the request and the master key K_m with the SM3-HMAC algorithm, uses K_i to decrypt [AK_i]_{K_i} in the request with the SM4 algorithm, and performs the cryptographic computation to complete computation service j.
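The three-layer key system of the steps above as an added example (not code from the patent or its assignee): two cluster members share K_m, machine A wraps a fresh AK_i under the derived K_i, the resource manager stores only the wrapped key, and machine B serves a request by re-deriving K_i. HMAC-SHA256 and AES-256-GCM stand in for SM3-HMAC and SM4, which the Go standard library lacks; the master key, user id and service names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// CipherMachine models one physical cipher machine. Every cluster member
// holds the same master key Km (step 2) and never exports it.
type CipherMachine struct {
	Name string
	km   []byte
}

// UserMasterKey derives Ki = HMAC(Km, userId) (steps 4 and 8). HMAC-SHA256
// stands in for the patent's SM3-HMAC, which Go's standard library lacks.
func (m *CipherMachine) UserMasterKey(userID string) []byte {
	mac := hmac.New(sha256.New, m.km)
	mac.Write([]byte(userID))
	return mac.Sum(nil) // 32 bytes, used directly as the wrapping key
}

// aeadFor/seal/open wrap one key (or data) under another (steps 5 and 8).
// AES-256-GCM stands in for SM4; being authenticated, it rejects a blob
// wrapped under a different Ki instead of returning garbage.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(g cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error
	return g.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
}

func open(g cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := g.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("malformed sealed blob")
	}
	return g.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// GenerateKey is machine A's part (steps 4-5): derive Ki, draw a fresh AKi
// and return [AKi]Ki. Plaintext AKi never leaves the machine.
func (m *CipherMachine) GenerateKey(userID string) []byte {
	ak := make([]byte, 32)
	rand.Read(ak)
	return seal(aeadFor(m.UserMasterKey(userID)), ak)
}

// Compute is machine B's part (step 8): re-derive Ki from Km and the userId
// in the request, unwrap AKi, then run service j ("encrypt" or "decrypt").
func (m *CipherMachine) Compute(userID, service string, wrappedAK, data []byte) ([]byte, error) {
	ak, err := open(aeadFor(m.UserMasterKey(userID)), wrappedAK)
	if err != nil { // a machine without the cluster's Km derives the wrong Ki and fails here
		return nil, errors.New("machine " + m.Name + ": cannot unwrap AKi")
	}
	if service == "encrypt" {
		return seal(aeadFor(ak), data), nil
	}
	return open(aeadFor(ak), data)
}

// RunFlow walks the method with constructed keys and ids: A wraps, B encrypts
// and A decrypts with that one stored wrapped key, and a machine holding a
// different Km is refused. It returns nil only when all of that holds.
func RunFlow() error {
	km := []byte("constructed-32-byte-master-key!!") // synchronised Km (constructed)
	a, b := &CipherMachine{"A", km}, &CipherMachine{"B", km}
	outsider := &CipherMachine{"X", make([]byte, 32)} // never synchronised
	wrapped := a.GenerateKey("user-1") // constructed userId; the resource manager stores this
	ct, err := b.Compute("user-1", "encrypt", wrapped, []byte("payload"))
	if err != nil {
		return err
	}
	pt, err := a.Compute("user-1", "decrypt", wrapped, ct)
	if err != nil || string(pt) != "payload" {
		return errors.New("cluster members must interoperate on one wrapped key")
	}
	if _, err := outsider.Compute("user-1", "decrypt", wrapped, ct); err == nil {
		return errors.New("a machine without Km must not unwrap AKi")
	}
	return nil
}

func main() {
	if err := RunFlow(); err != nil {
		panic(err)
	}
}
```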
In addition, the invention also provides a method for the resource management module to collaboratively access the authentication module for authentication, which comprises the following steps:
1) The cloud user requests cryptographic computation from the resource management module.
2) The resource management module first judges whether the current user has a legal identity; if not, it returns an identity authentication data packet to the cloud user. The information in the packet comprises: client_id, the identity of the resource management server; redirect_uri, the address at which the resource management server receives the user identity credential issued by the unified authentication system; response_type, the response format the resource management server requests from the unified authentication system; scope, the range of user authorization data the resource management server requests; and nonce, a random number generated for each request.
3) The cloud user takes the content returned by the resource management module, adds the user name "username" and the "password" to it, and forwards it to the authentication module for authentication.
4) The unified authentication module parses the data packet and, after the user name and password have been verified, returns a token to the cloud user. The token is user data encoded in JWT format and comprises the platform identity "audience", marking the application that requested the login; the unified authentication address "issuer", marking the identity of the user credential system; "sub", marking the identity of the user making this request; the nonce from the request; and other information, together with a digital signature over this information.
5) The cloud user forwards the token to the resource management module.
6) The resource management module first extracts the digital signature from the token and verifies it, and at the same time checks that the nonce in the token is consistent with the nonce in the request.
7) If authentication passes, the resource management module extracts the user name "username" as the id (namely userId) and the tenant identity "tenant_id" from the data storage module, and uses them as the input of step 2 of the following method, which queries the tenant identity.
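The nonce and signature checks of steps 2), 4) and 6) as an added example (not the patent's code): the resource manager remembers the nonces it issued, the unified authentication system signs a token carrying audience, issuer, sub and nonce, and verification rejects a replayed token, one minted for another platform, or one signed by an untrusted issuer. Ed25519 stands in for the SM2 signature, the token is a payload.signature pair rather than a full JWT, and the issuer URL and client id are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the token body from step 4: audience (the platform that asked
// for the login), issuer (the unified authentication system), sub (the user)
// and the nonce echoed back from the identity authentication packet.
type Claims struct {
	Audience string `json:"audience"`
	Issuer   string `json:"issuer"`
	Sub      string `json:"sub"`
	Nonce    string `json:"nonce"`
}

// AuthSystem stands in for the unified authentication module. Ed25519 is
// used for the token signature because Go's standard library has no SM2.
type AuthSystem struct {
	Issuer string
	priv   ed25519.PrivateKey
}

// Issue returns "payload.signature", both base64url: a compact JWT-like
// shape with the header omitted for brevity.
func (s *AuthSystem) Issue(clientID, sub, nonce string) string {
	payload, _ := json.Marshal(Claims{Audience: clientID, Issuer: s.Issuer, Sub: sub, Nonce: nonce})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(payload) + "." + enc(ed25519.Sign(s.priv, payload))
}

// ResourceManager remembers every nonce it handed out in step 2 so that a
// token can only answer the one login request it was minted for.
type ResourceManager struct {
	ClientID string
	Issuer   string
	authPub  ed25519.PublicKey
	pending  map[string]bool
}

// NewNonce is step 2: a fresh random value placed in the authentication packet.
func (rm *ResourceManager) NewNonce() string {
	buf := make([]byte, 16)
	rand.Read(buf)
	n := base64.RawURLEncoding.EncodeToString(buf)
	rm.pending[n] = true
	return n
}

// Verify is step 6: check the signature, then that the nonce is one we are
// waiting for (and retire it so a replayed token fails), then that the token
// was minted for this platform by the expected issuer. Returns sub (userId).
func (rm *ResourceManager) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(rm.authPub, payload, sig) {
		return "", errors.New("signature check failed")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if !rm.pending[c.Nonce] {
		return "", errors.New("nonce unknown or already used")
	}
	delete(rm.pending, c.Nonce)
	if c.Audience != rm.ClientID || c.Issuer != rm.Issuer {
		return "", errors.New("token not issued for this platform by the expected issuer")
	}
	return c.Sub, nil
}

// NewPair builds an authentication system and a resource manager that trusts
// its public key, with constructed identifiers.
func NewPair() (*AuthSystem, *ResourceManager) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auth := &AuthSystem{Issuer: "https://auth.example", priv: priv}
	rm := &ResourceManager{ClientID: "cloud-crypto-platform", Issuer: auth.Issuer,
		authPub: pub, pending: map[string]bool{}}
	return auth, rm
}

func main() {
	auth, rm := NewPair()
	if _, err := rm.Verify(auth.Issue(rm.ClientID, "alice", rm.NewNonce())); err != nil {
		panic(err)
	}
}
```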
The invention also provides a method by which the resource management module, together with the data storage module, checks the user state and rate-limits cryptographic requests. The speed-limiting sub-steps are as follows:
1) Obtain the computation type "codeRequest" of the key generation request.
2) From the unified authentication procedure, obtain the request identity "userId"; query the cloud user's current state "identity.status" and, from "identity.tenant_id", the state of its tenant "tenant.status". The current state indicates whether the current user may request computation and takes only the value yes or no; the tenant state likewise takes only yes or no and indicates whether the tenant the user belongs to is available.
3) Using the "userId" obtained from the unified authentication procedure and the computation type "codeRequest", query the redis database for the cloud user's total speed quota "algorithm.limit" and current used speed "algorithm.used" for that computation type.
4) If the current used speed is less than the cloud user's total speed quota for that computation type, the request (for encryption/decryption or signature verification) is allowed and the current used speed is updated; otherwise the request is rejected.
5) At the same time, the speed-limiting module periodically queries the validity period of the speed usage records "algorithm.timevalid"; once the period is found to have expired, the current used speeds of all computation types of all users are cleared, so that the requests of the next second are limited afresh.
In addition, to guarantee the trustworthiness of tenants and their subordinate access identities during the actual cryptographic computing service, the access authentication module verifies identities with the OpenID protocol in third-party unified authentication mode; the resource management module performs load-balancing control on the traffic and rate-limits according to the cloud user's speed quota; and, after receiving the cloud user's request packet, the resource management module converts its format into a computation request for the physical cipher machine cluster.
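The five speed-limiting sub-steps as an added example (not the patent's code): status gates for user and tenant, then a per-(userId, codeRequest) quota counted in a fixed window of algorithm.timevalid. Window expiry is checked on each request rather than by a periodic query, the clock is injectable so the reset can be exercised, and the user, tenant and computation-type names are constructed.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// Quota is the per-(userId, codeRequest) record the resource manager keeps
// in its in-memory database: the total quota "algorithm.limit" and the usage
// "algorithm.used" accumulated in the current window.
type Quota struct {
	Limit int
	Used  int
}

// Limiter implements sub-steps 1-5: user and tenant status gates, then a
// fixed window (algorithm.timevalid) per computation type. All usage
// counters are cleared together when the window expires.
type Limiter struct {
	mu        sync.Mutex
	UserOK    map[string]bool   // identity.status: may this user request at all?
	TenantOf  map[string]string // userId -> tenantId
	TenantOK  map[string]bool   // tenant.status
	Quotas    map[string]*Quota // key: userId + "/" + codeRequest
	Window    time.Duration     // algorithm.timevalid (one second in the patent)
	windowEnd time.Time
	Now       func() time.Time // injectable clock
}

// Allow decides one request. It returns nil when the request may proceed to
// format conversion and load balancing, and an error naming the gate that
// rejected it otherwise.
func (l *Limiter) Allow(userID, codeRequest string) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if !l.UserOK[userID] {
		return errors.New("user status: not allowed to request computation")
	}
	if !l.TenantOK[l.TenantOf[userID]] {
		return errors.New("tenant status: tenant unavailable")
	}
	now := l.Now()
	if !now.Before(l.windowEnd) { // sub-step 5: the time limit expired, clear all usage
		for _, q := range l.Quotas {
			q.Used = 0
		}
		l.windowEnd = now.Add(l.Window)
	}
	q, ok := l.Quotas[userID+"/"+codeRequest]
	if !ok {
		return errors.New("no quota for this computation type")
	}
	if q.Used >= q.Limit { // sub-step 4: allow only while used < limit
		return errors.New("speed quota exhausted for " + codeRequest)
	}
	q.Used++
	return nil
}

// NewDemoLimiter wires a constructed tenant/user/quota set: user-1 (tenant
// t1, enabled) may do 3 "sm4_encrypt" and 1 "sm2_sign" per window; user-2's
// tenant t2 is disabled.
func NewDemoLimiter(now func() time.Time) *Limiter {
	return &Limiter{
		UserOK:   map[string]bool{"user-1": true, "user-2": true},
		TenantOf: map[string]string{"user-1": "t1", "user-2": "t2"},
		TenantOK: map[string]bool{"t1": true, "t2": false},
		Quotas: map[string]*Quota{
			"user-1/sm4_encrypt": {Limit: 3},
			"user-1/sm2_sign":    {Limit: 1},
		},
		Window: time.Second,
		Now:    now,
	}
}

func main() {
	l := NewDemoLimiter(time.Now)
	if err := l.Allow("user-1", "sm4_encrypt"); err != nil {
		panic(err)
	}
}
```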
The invention has the following advantages:
The method and system virtualize the cryptographic computing capability of cryptographic computing devices into resources and provide those resources to the outside, while at the same time managing and scheduling the cryptographic computing devices reasonably and efficiently, so that the devices can be used in the cloud, the particular requirements of cloud computing for on-demand computing, elastic expansion and multi-user operation are met, and the security and usability of the cryptographic computing devices are improved.
Drawings
FIG. 1 is a system block diagram of the present invention.
Detailed Description
The present invention is described in further detail below with reference to the attached drawings.
As shown in FIG. 1, the cloud cryptographic computing platform system of the present invention mainly includes four parts: a physical cipher machine cluster, a resource management module, an access authentication module and a data storage module.
The physical cipher machines provide cryptographic computing capability to the outside, mainly the national (SM) algorithms SM2, SM3 and SM4. A cipher machine protects the user master keys with its own master key, protects the algorithm keys with the user master keys, and protects the cipher machine master key with a key protection card, so that the security of the computing platform is effectively guaranteed.
The resource management module deployed on the resource management server controls and converts a cloud user's cryptographic computation request according to the performance quota pre-allocated to the tenant, and forwards it to a physical cipher machine through the load balancing strategy to request the actual cryptographic computation.
The access authentication module is responsible for authenticating the identities of the accessing cloud tenants and the personnel under those tenants, in third-party unified authentication mode.
The data storage module is mainly responsible for storing the information of tenants and their subordinate users and the detailed information of the cipher machines, and provides query, add, delete and modify functions to the resource management module.
The invention provides a method by which the cloud cryptographic computing platform provides cryptographic service operations, comprising the following steps:
1) The physical cipher machine loads the cryptographic computation service.
2) The resource management module loads the resource management service, connects to the physical cipher machines, accounts for their computing capacity, and virtualizes the physical cipher machines into cloud cipher machines with cryptographic computing capacity according to the capacity a user applies for.
3) The resource management module connects to the database of the data storage module, mainly to obtain the personal information of cloud tenants and of the cloud users subordinate to them.
4) The access authentication server is started as the access authentication module and provides the third-party unified authentication function for the cloud cryptographic computing platform, authenticating the identities of cloud users and the tenants they belong to.
5) After loading is finished, the resource management module serves as the module that provides cryptographic computation for the cloud platform and, with the assistance of the other modules, provides cryptographic computation services of different types and performance to cloud users according to their requests.
6) The cloud user requests a cryptographic operation service from the resource management module and first enters the unified authentication flow of the resource management server.
7) The resource management module receives the cloud user's cryptographic computation request packet, parses the request, and first performs speed-limit processing.
8) After speed-limit processing passes, the resource management module converts the format of the request packet to produce the request packet that actually requests cryptographic computation from the physical cipher machine.
9) After format conversion, the resource management module sends the generated request packet to a physical cipher machine through the load balancing strategy.
10) After receiving the request packet, the cipher machine first generates the user master key from the cipher machine master key and the user identity "userId" with SM3-HMAC, then decrypts the algorithm key "keyBits" with the user key using the SM4 decryption algorithm, and then performs the cryptographic computation.
11) After the cipher machine completes the computation, the result is returned to the resource management module, and the resource management server sends it to the cloud user.
12) The service is complete.
Through the above system and method, the traditional cryptographic devices that provide cryptographic services are managed uniformly and virtualized into a number of logically independent virtual cipher machines, so that the cryptographic service meets the particular requirements of cloud computing for on-demand allocation and multiple users, can be used in a cloud computing environment, and the security of the cryptographic devices is ensured.
It should be noted that, for simplicity of description, the foregoing embodiment is described as a combination of a sequence of actions; those skilled in the art should understand that the present application is not limited by the described order of actions, as some steps may be performed in other orders or simultaneously according to the present application.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a ROM, a RAM, etc.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention, and it is therefore to be understood that the invention is not limited thereto but by the scope of the appended claims.

Claims (9)

1. A computing service method, comprising the steps of:
1) starting n physical cipher machines to form a physical cipher machine cluster, and connecting the physical cipher machine cluster to a resource management module;
2) synchronizing the master keys of the n physical cipher machines so that they share the cipher machine master key K_m;
3) after receiving a key generation request, the resource management server selects a physical cipher machine A from the physical cipher machine cluster and sends the received key generation request to physical cipher machine A for processing;
4) physical cipher machine A processes the user identity user_id in each key generation request with the master key K_m, using a key generation algorithm, to generate the user master key K_i of the corresponding user;
5) physical cipher machine A generates an algorithm key AK_i according to the computation type of the key generation request, encrypts the algorithm key AK_i with the user master key K_i to obtain [AK_i]_{K_i}, and sends it to the resource management module;
6) when a user i requests to perform a computation service j, the resource management module adds the key [AK_i]_{K_i} corresponding to user i to the user's encryption/decryption or signature/verification request and sends the request to a physical cipher machine B in the physical cipher machine cluster for computation;
7) physical cipher machine B applies the key generation algorithm to the user_id in the request and the master key K_m to obtain the user master key K_i of user i, decrypts [AK_i]_{K_i} in the request with the user master key K_i, and completes computation service j with AK_i.
2. The method as claimed in claim 1, wherein in step 3), after receiving the key generation request, the resource management server first authenticates the user who sent the key generation request, and if authentication passes, selects a physical cipher machine A from the physical cipher machine cluster.
3. The method of claim 2, wherein the user who issued the key generation request is authenticated as follows:
31) the resource management server judges whether the current user has a legal identity, and if not, returns an identity authentication data packet to the user, wherein the information in the identity authentication data packet comprises: the resource management server identifier client_id; the address redirect_uri at which the user identity credential issued by the unified authentication system is received; the response format response_type of the unified authentication system requested by the resource management server; the range scope of the user authorization data requested by the resource management server; and the random number nonce;
32) the user sends the user's user name username and password to the unified authentication system for authentication according to the response format response_type;
33) after the user's user name and password pass authentication, the unified authentication system returns a token to the user, wherein the information in the token comprises the identity identifier audience of the application requesting login, the identity identifier issuer of the system issuing the user credential, the identity identifier sub of the user, and the random number nonce, accompanied by a digital signature over this information;
34) the user forwards the token to the resource management module;
35) the resource management module verifies the token and checks whether the random number nonce in the token is consistent with the random number nonce in the identity authentication data packet; if the two are consistent, authentication passes.
4. The method of claim 3, wherein, after the authentication passes, the resource management module extracts the user's username and queries the user's current state; obtains the user's tenant identity tenant_id from the unified authentication system and queries the tenant state by tenant_id; then queries, by the user identity user_id and the calculation type code_request, the total speed quota and the currently used speed of that calculation type for that user; if the currently used speed is less than the user's total speed quota for that calculation type, the encryption/decryption or signing/verification request is allowed, the currently used speed is updated, and step 7) is performed; otherwise the encryption/decryption or signing/verification request is refused.
5. The method of claim 1, wherein the master keys of the n physical cipher machines are synchronized by means of a cipher protection card so that they share the cipher machine master key K_m; and the master key K_m exists only in the cipher protection card of each cipher machine.
6. A cloud password computing platform, characterized in that it comprises a physical cipher machine cluster consisting of n physical cipher machines, a resource management module and a resource management server; wherein the n physical cipher machines share the cipher machine master key K_m;
the resource management server is used to select a physical cipher machine A from the physical cipher machine cluster after receiving a key generation request, and then to send the received key generation request to the physical cipher machine A for processing;
a physical cipher machine is used to process the user identity user_id in each key generation request with the master key K_m by the key generation algorithm to generate the user master key K_i of the corresponding user; to generate an algorithm key AK_i according to the calculation type of the key generation request, encrypt AK_i with the user master key K_i to obtain [AK_i]_{K_i}, and send it to the resource management module; and, according to the user identity user_id in a calculation request and the master key K_m, to apply the key generation algorithm to obtain the user master key K_i of user i, decrypt [AK_i]_{K_i} in the request with K_i, and use AK_i to complete calculation service j;
the resource management module is used to store the received [AK_i]_{K_i}; and, when user i requests calculation service j, to add the key [AK_i]_{K_i} corresponding to user i to the user's encryption/decryption or signing/verification request and send the request to a physical cipher machine B in the physical cipher machine cluster for calculation.
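Added example, not part of the patent, showing the key hierarchy of claim 1 steps 4) to 7) and of claim 6 in runnable Python. The patent names none of its algorithms, so the following are assumptions of this example: the key generation algorithm mapping (K_m, user_id) to K_i is HMAC-SHA256 used as a KDF; the wrap [AK_i]_{K_i} is an encrypt-then-MAC construction built from HMAC-SHA256 (random nonce, PRF keystream XORed over the key, HMAC tag); and the only calculation service implemented is an HMAC-SHA256 tag standing in for the signing service. All class and function names are the example's own. The structural point is the one the claims make: the cipher machines hold only K_m and recompute K_i on demand, the resource management module holds only wrapped keys, and any machine in the cluster can serve a request that a different machine provisioned.

```python
import hashlib
import hmac
import os


def derive_user_master_key(km: bytes, user_id: str) -> bytes:
    """K_i = KDF(K_m, user_id). Assumed stand-in for the patent's unnamed key generation algorithm."""
    return hmac.new(km, b"user-master-key|" + user_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks, cut to length."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(kek: bytes):
    """Separate encryption and MAC keys derived from the wrapping key."""
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())


def wrap_key(kek: bytes, key_material: bytes) -> bytes:
    """[AK_i]_{K_i}: nonce || (key_material XOR keystream) || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(key_material, _keystream(enc_key, nonce, len(key_material))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap_key; refuses the blob unless the tag verifies under this kek."""
    if len(blob) < 16 + 32:
        raise ValueError("wrapped key too short")
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check (wrong K_i or tampered blob)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PhysicalCipherMachine:
    """Holds only K_m. K_i and AK_i are recomputed per request and never stored (claim 1, steps 4-7)."""

    def __init__(self, km: bytes):
        self._km = km

    def generate_key(self, user_id: str, calc_type: str) -> bytes:
        # Steps 4-5: derive K_i, draw a fresh AK_i for this calculation type, return [AK_i]_{K_i}.
        # The calculation type is bound into the wrapped plaintext so a key provisioned for one
        # service type cannot later be presented for another.
        ki = derive_user_master_key(self._km, user_id)
        ak = os.urandom(32)
        return wrap_key(ki, calc_type.encode() + b"\x00" + ak)

    def compute(self, user_id: str, wrapped: bytes, calc_type: str, data: bytes) -> bytes:
        # Step 7: any cluster member can serve the request because K_i is derivable from K_m.
        ki = derive_user_master_key(self._km, user_id)
        label, _, ak = unwrap_key(ki, wrapped).partition(b"\x00")
        if label != calc_type.encode():
            raise ValueError("algorithm key was not generated for this calculation type")
        if calc_type == "mac":           # stand-in for the patent's signing service
            return hmac.new(ak, data, hashlib.sha256).digest()
        raise ValueError("unsupported calculation type")


class ResourceManagementModule:
    """Stores only wrapped keys (step 6); never sees K_m, K_i or AK_i in clear."""

    def __init__(self, cluster):
        self._cluster = cluster
        self._wrapped = {}

    def key_generation_request(self, user_id: str, calc_type: str) -> None:
        machine_a = self._cluster[0]
        self._wrapped[(user_id, calc_type)] = machine_a.generate_key(user_id, calc_type)

    def service_request(self, user_id: str, calc_type: str, data: bytes) -> bytes:
        wrapped = self._wrapped[(user_id, calc_type)]
        machine_b = self._cluster[-1]    # any member; a real scheduler picks by load
        return machine_b.compute(user_id, wrapped, calc_type, data)


if __name__ == "__main__":
    km = os.urandom(32)                  # shared cluster master key, constructed for the example
    rm = ResourceManagementModule([PhysicalCipherMachine(km) for _ in range(3)])
    rm.key_generation_request("user-1", "mac")
    print(rm.service_request("user-1", "mac", b"constructed sample message").hex())
```

Two checks worth keeping in a real implementation: a machine holding a different K_m, or a request carrying the wrong user_id, derives a different K_i and fails the integrity check rather than silently unwrapping garbage, and binding the calculation type into the wrapped blob stops a wrapped key provisioned for one service from being replayed against another.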
7. The cloud password computing platform of claim 6, further comprising an authentication module; after receiving the key generation request, the resource management server first authenticates the user who sent the key generation request, as follows: the resource management server checks whether the current user already has a valid identity and, if not, returns an identity authentication data packet to the user; the packet contains: the identifier client_id of the resource management server, the address redirect_uri at which the user identity credential issued by the unified authentication system is to be received, the response format response_type that the resource management server requests from the unified authentication system, the scope of user authorization data that the resource management server requests, and a random number nonce; the username and password sent by the user according to the response format response_type are then received; after verifying the username and password, the authentication module returns a token to the user, the token containing the identifier audience of the application requesting login, the identifier issuer of the system that issued the user credential, the identifier sub of the user, and the random number nonce, together with a digital signature over this information; the resource management module then receives the token forwarded by the user, verifies it, and checks whether the nonce in the token matches the nonce in the identity authentication data packet; if they match, the authentication passes.
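Added example, not from the patent: the authentication exchange of claim 3 steps 31) to 35), repeated in claim 7, with all three parties in runnable Python. Assumptions of this example: the token is a base64url JSON payload plus a signature, and HMAC-SHA256 under a key shared by the unified authentication system and the resource management server stands in for the digital signature the claim requires (a real deployment verifies an asymmetric signature under the issuer's public key); response_type "id_token" and scope "openid" are assumed values; the client_id, redirect_uri, issuer identifier and the user table are constructed. The verification order is the one a practitioner wants: signature before any field of the payload is trusted, then issuer and audience, then a one-time nonce so that a captured token cannot be replayed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class UnifiedAuthSystem:
    """Steps 32-33: checks username/password and returns the signed token."""
    ISSUER = "https://auth.example.invalid"   # assumed issuer identifier

    def __init__(self, signing_key: bytes):
        self._signing_key = signing_key       # HMAC key stands in for the issuer's signing key
        self._users = {}                      # username -> (salt, pbkdf2 digest, sub); constructed
        self._dummy_salt = os.urandom(16)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str, sub: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt), sub)

    def authenticate(self, username: str, password: str, client_id: str, nonce: str) -> str:
        record = self._users.get(username)
        if record is None:
            self._hash(password, self._dummy_salt)   # same cost for unknown users (no timing enumeration)
            raise PermissionError("authentication failed")
        salt, digest, sub = record
        if not hmac.compare_digest(self._hash(password, salt), digest):
            raise PermissionError("authentication failed")
        payload = json.dumps({"audience": client_id, "issuer": self.ISSUER,
                              "sub": sub, "nonce": nonce}, sort_keys=True).encode()
        signature = hmac.new(self._signing_key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(signature)


class ResourceManagementServer:
    """Steps 31 and 35: issues the identity authentication data packet, verifies the returned token."""
    CLIENT_ID = "cloud-crypto-resource-manager"                # assumed
    REDIRECT_URI = "https://rm.example.invalid/auth/callback"  # assumed

    def __init__(self, issuer_key: bytes, expected_issuer: str):
        self._issuer_key = issuer_key
        self._expected_issuer = expected_issuer
        self._pending_nonces = set()          # issued in step 31, consumed once in step 35

    def begin_auth(self) -> dict:
        nonce = secrets.token_urlsafe(16)
        self._pending_nonces.add(nonce)
        return {"client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT_URI,
                "response_type": "id_token", "scope": "openid", "nonce": nonce}

    def verify_token(self, token: str) -> str:
        """Returns the user identity sub, or raises PermissionError."""
        try:
            payload_b64, signature_b64 = token.split(".")
            payload, signature = _unb64(payload_b64), _unb64(signature_b64)
        except (ValueError, binascii.Error):
            raise PermissionError("malformed token")
        # 1. signature, before trusting any field of the payload
        expected = hmac.new(self._issuer_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            raise PermissionError("token signature invalid")
        claims = json.loads(payload)
        # 2. issuer and audience: a valid token minted for another application must not log in here
        if claims.get("issuer") != self._expected_issuer:
            raise PermissionError("unexpected issuer")
        if claims.get("audience") != self.CLIENT_ID:
            raise PermissionError("token not issued for this client_id")
        # 3. nonce: must be one this server issued and not yet consumed (defeats replay)
        nonce = claims.get("nonce")
        if nonce not in self._pending_nonces:
            raise PermissionError("nonce unknown or already used")
        self._pending_nonces.discard(nonce)
        sub = claims.get("sub")
        if not isinstance(sub, str):
            raise PermissionError("token carries no subject")
        return sub


def login(auth: UnifiedAuthSystem, rm: ResourceManagementServer, username: str, password: str) -> str:
    """Steps 31-35 end to end: packet to user, user to auth system, token back to the resource manager."""
    packet = rm.begin_auth()
    token = auth.authenticate(username, password, packet["client_id"], packet["nonce"])
    return rm.verify_token(token)
```

The nonce set must be kept per resource management server instance (or in shared storage when the server is replicated) and entries should expire; otherwise an abandoned step 31) leaves a nonce that stays valid forever.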
8. The cloud password computing platform of claim 7, further comprising a rate limit module; after the authentication passes, the resource management module extracts the user's username and queries the user's current state; the rate limit module obtains the user's tenant identity tenant_id from the unified authentication system and queries the tenant state by tenant_id; then queries, by the user identity user_id and the calculation type code_request, the total speed quota and the currently used speed of that calculation type for that user; if the currently used speed is less than the user's total speed quota for that calculation type, the encryption/decryption or signing/verification request is allowed and the currently used speed is updated; otherwise the encryption/decryption or signing/verification request is refused.
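Added example, not from the patent: the admission check of claim 4, repeated in claim 8, as a runnable Python module. Assumptions of this example: "speed" is interpreted as admitted requests per sliding window of one second; the user state table, the tenant state table, the user-to-tenant mapping that the patent fetches from the unified authentication system, and the per-type quotas are constructed in-memory tables; code_request values such as "sign" are placeholders. The clock is injectable so that the window behaviour can be exercised deterministically.

```python
import time
from collections import defaultdict, deque


class RateLimitModule:
    """Admission check of claims 4 and 8: user state, then tenant state, then per-type speed quota."""

    def __init__(self, user_state, user_tenant, tenant_state, quotas,
                 window_seconds=1.0, clock=time.monotonic):
        self._user_state = user_state        # user_id -> "active" | "suspended" | ...
        self._user_tenant = user_tenant      # user_id -> tenant_id (from the unified auth system)
        self._tenant_state = tenant_state    # tenant_id -> "active" | "suspended" | ...
        self._quotas = quotas                # (user_id, code_request) -> total speed quota per window
        self._window = window_seconds
        self._clock = clock
        self._used = defaultdict(deque)      # (user_id, code_request) -> admission times in window

    def current_used_speed(self, user_id: str, code_request: str) -> int:
        """Number of requests admitted inside the current window; expired entries are dropped."""
        now = self._clock()
        q = self._used[(user_id, code_request)]
        while q and now - q[0] >= self._window:
            q.popleft()
        return len(q)

    def admit(self, user_id: str, code_request: str):
        """Returns (allowed, reason); on allow the used speed is updated (claim 4)."""
        if self._user_state.get(user_id) != "active":
            return False, "user not active"
        tenant_id = self._user_tenant.get(user_id)
        if self._tenant_state.get(tenant_id) != "active":
            return False, "tenant not active"
        quota = self._quotas.get((user_id, code_request))
        if quota is None:
            # No quota provisioned for this calculation type: deny by default, never fall
            # through to an unlimited path.
            return False, "no quota for this calculation type"
        used = self.current_used_speed(user_id, code_request)
        if used >= quota:
            return False, f"quota exhausted ({used}/{quota} per {self._window}s)"
        self._used[(user_id, code_request)].append(self._clock())
        return True, "allowed"


if __name__ == "__main__":
    # Constructed tables for the example.
    limiter = RateLimitModule(
        user_state={"user-1": "active"},
        user_tenant={"user-1": "tenant-a"},
        tenant_state={"tenant-a": "active"},
        quotas={("user-1", "sign"): 2},
    )
    for _ in range(3):
        print(limiter.admit("user-1", "sign"))
```

Checking user state and tenant state before looking at the quota matters for the failure mode the claim implies: a suspended tenant is refused even if its users still have unused quota, and the refusal reason names which gate failed so that an operator can tell a quota problem from an account problem.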
9. The cloud password computing platform of claim 6, wherein the master keys of the n physical cipher machines are synchronized by means of a cipher protection card so that they share the cipher machine master key K_m; and the master key K_m exists only in the cipher protection card of each cipher machine.
CN201910671174.3A 2019-07-24 2019-07-24 Cloud password computing platform and computing service method Active CN110572258B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910671174.3A CN110572258B (en) 2019-07-24 2019-07-24 Cloud password computing platform and computing service method

Publications (2)

Publication Number Publication Date
CN110572258A CN110572258A (en) 2019-12-13
CN110572258B true CN110572258B (en) 2021-12-14

Family

ID=68773803

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910671174.3A Active CN110572258B (en) 2019-07-24 2019-07-24 Cloud password computing platform and computing service method

Country Status (1)

Country Link
CN (1) CN110572258B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111245813B (en) * 2020-01-07 2022-04-29 北京数字认证股份有限公司 Cryptographic resource pool system, encryption method, electronic device, and storage medium
CN113821305B (en) * 2021-09-15 2023-02-10 中电信数智科技有限公司 Cloud password service calling method based on Docker and middleware system
CN114741169B (en) * 2022-03-30 2024-02-13 天津大学 Multi-task scheduling method for heterogeneous password computing service of load aggregation public service platform
CN114866346B (en) * 2022-07-06 2022-09-13 北京神州安付科技股份有限公司 Password service platform based on decentralization
CN115189896B (en) * 2022-09-13 2023-01-03 中安网脉(北京)技术股份有限公司 Virtual cloud password service system and method
CN117077123A (en) * 2023-08-18 2023-11-17 长春吉大正元信息技术股份有限公司 Service processing method and device for multiple password cards and electronic equipment
CN116893903B (en) * 2023-09-11 2023-12-08 北京格尔国信科技有限公司 Encryption resource allocation method, system, equipment and storage medium

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005041454A2 (en) * 2003-10-22 2005-05-06 Speedus Corp. Wireless broadband licensed networking system for local and wide area networking
US8862878B2 (en) * 2010-11-19 2014-10-14 International Business Machines Corporation Authentication and authorization of a device by a service using broadcast encryption
KR101636028B1 (en) * 2012-01-20 2016-07-04 인터디지탈 패튼 홀딩스, 인크 Identity management with local functionality
CN103634339A (en) * 2012-08-22 2014-03-12 中国银联股份有限公司 Virtual encryptor device, financial encryptor and method of encrypting message
CN103297428B (en) * 2013-05-20 2016-04-27 南京邮电大学 A kind of cloud storage system data guard method
CN104202421A (en) * 2014-09-19 2014-12-10 浪潮电子信息产业股份有限公司 Cloud computing based password service system
US10104084B2 (en) * 2015-07-30 2018-10-16 Cisco Technology, Inc. Token scope reduction
CN105072180B (en) * 2015-08-06 2018-02-09 武汉科技大学 A kind of cloud storage data safety sharing method for having permission time control
CN105678156B (en) * 2016-01-04 2019-06-28 成都卫士通信息产业股份有限公司 A kind of cloud cryptographic service platform and its workflow based on virtualization technology
CN205427860U (en) * 2016-03-12 2016-08-03 福建博士通信息有限责任公司 Finance encryption equipment
CN106603243B (en) * 2016-04-08 2020-06-16 数安时代科技股份有限公司 Private key processing method and device for digital signature
CN107040589B (en) * 2017-03-15 2019-10-25 西安电子科技大学 The system and method for cryptographic service is provided by virtualization encryption device cluster
CN107483191B (en) * 2017-08-16 2020-04-14 浪潮集团有限公司 SM2 algorithm key segmentation signature system and method
CN108259175B (en) * 2017-12-28 2020-12-11 成都卫士通信息产业股份有限公司 Distributed password service method and system
CN108306972A (en) * 2018-02-06 2018-07-20 山东渔翁信息技术股份有限公司 A kind of cloud cryptographic service method, platform, system and computer readable storage medium
CN108429735A (en) * 2018-02-11 2018-08-21 众算(上海)数据科技有限公司 A kind of data ciphering method
CN109525544B (en) * 2018-06-01 2021-08-13 中央军委后勤保障部信息中心 Business system access method and system based on cipher machine cluster

Also Published As

Publication number Publication date
CN110572258A (en) 2019-12-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant